In recent years, individuals, organizations and governments have grown increasingly aware of the importance of protecting personal privacy. Accordingly, many organizations in both the public and private sectors have implemented privacy protection measures to ensure proper handling of personal information. Furthermore, many jurisdictions have enacted legislation to create rules governing the handling of personal information. For example, in Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) provides a set of rules governing how private sector organizations may obtain, use or disclose personal information in the course of business.
An organization implementing privacy protection measures should routinely assess its implementation of those measures to ensure that privacy is effectively protected. An organization should also routinely assess its privacy protection measures against the requirements imposed by privacy protection legislation, to ensure that it is compliant with such legislation.
However, assessing an organization's implementation of privacy protection measures and its compliance with privacy protection legislation may be challenging, especially for large organizations. For example, implementation of privacy protection measures may not be uniform throughout an organization. Exposure to personal privacy may vary throughout an organization. Operations may span different industries and/or different legal jurisdictions such that different privacy protection rules may apply to different parts of an organization. Thus, it may be difficult to obtain accurate assessments reflective of an organization as a whole.